All code in this section is ‘psuedo-code’ created in order to understand the basics of assembly.
Exercise
Read the pseudo-code provided and try to explain execution flow.
Use the following code for this section of the lab.
Part 1:
bits 64
default rel
extern ExitProcess
extern WSASocketA
extern connect
extern htons
extern inet_addr
extern closesocket
extern WSACleanup
Part 2:
section .data
url db "www.malienist.medium.com", 0
port dw 80
Part 3:
section .text
global main
main:
push rbp
mov rbp, rsp
sub rsp, 32
Part 4:
xor rax, rax
mov rcx, rax
call WSASocketA
Part 5:
push 2
push 1
push 6
lea rdx, [url]
push rdx
mov rdx, rax
call inet_addr
push ax
push dx
push word [port]
push rdx
call htons
push ax
push dx
push 16
push rsp
mov rdx, rax
call connect
Part 6:
push rdx
call closesocket
call WSACleanup
Part 7:
xor rax, rax
call ExitProcess
Exercise
Read the pseudo-code provided and try to explain execution flow.
Use the following code for this section of the lab.
Part 1:
bits 64
default rel
section .data
key db "SecretKey", 0
plaintext db "What part of JMP RSP dont you understand?", 0
ciphertext db 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ; placeholder for ciphertext
Part 2:
section .text
global main
main:
push rbp
mov rbp, rsp
sub rsp, 32
; Load the key into the key schedule
mov rsi, key
mov rdi, 256
call key_schedule
; Encrypt the plaintext using RC4
mov rsi, plaintext
mov rdi, ciphertext
call rc4_encrypt
; Print the ciphertext
lea rdx, [ciphertext]
call print_string
; Exit the program
xor rax, rax
call ExitProcess
Part 3:
; RC4 key scheduling algorithm
; Inputs:
; rsi - pointer to the key
; rdi - length of the key
; Modifies:
; rcx, rdx - key schedule array
key_schedule:
push r12
push r13
push rbx
xor ecx, ecx
mov edx, 256
mov ebx, 0
; Initialize key schedule array
init_key_schedule:
mov byte [rcx], cl
inc rcx
loop init_key_schedule
; Key-scheduling algorithm
mov cl, byte [rsi]
xor bl, byte [rcx-1]
xchg byte [rcx+rbx], byte [rcx]
xchg byte [rcx], bl
inc rcx
loop key_schedule
pop rbx
pop r13
pop r12
ret
Part 4:
; RC4 encryption algorithm
; Inputs:
; rsi - pointer to the plaintext
; rdi - pointer to the ciphertext
; Modifies:
; rcx, rdx - key schedule array
rc4_encrypt:
push r12
push r13
push rbx
xor ecx, ecx
xor edx, edx
; Initialize variables
mov r12, rsi
mov r13, rdi
; Encryption loop
encrypt_loop:
mov cl, byte [r12]
mov dl, byte [rcx]
add ecx, edx
xchg byte [rcx+ecx], byte [rcx]
xchg byte [rcx], al
xor byte [r13], al
inc r12
inc r13
loop encrypt_loop
pop rbx
pop r13
pop r12
ret
; Print a null-terminated string
; Input:
; rdx - pointer to the string
print_string:
push rdi
mov rdi, rdx
xor eax, eax
cld
print_loop:
Read the pseudo-code provided and try to explain execution flow.
Use the following code for this section of the lab.
section .data
filePath db 'C:\path\to\file.txt', 0
section .text
global _start
_start:
; Convert the file path to wide-character format
lea rdi, [filePath]
call ConvertToWideChar
; Call DeleteFileW to delete the file
mov rdi, rax ; Pass the converted wide-character file path
call DeleteFileW
; Check the return value of DeleteFileW
cmp rax, 0
je error
; File deleted successfully, do further processing here
; Exit the program
xor eax, eax ; Return 0 as the exit code
ret
error:
; An error occurred, exit with error code
mov eax, 1 ; Return 1 as the exit code
ret
; Function to convert a null-terminated ASCII string to wide-character format
; Returns the address of the converted string
ConvertToWideChar:
push rbp
mov rbp, rsp
; Get the length of the input string
xor rcx, rcx ; Counter
mov rsi, rdi ; Source pointer
mov dl, byte [rsi]
inc rcx
inc rsi
cmp dl, 0
jne .loop
; Allocate memory for the wide-character string
lea rdi, [rcx * 2 + 2] ; Length * 2 + 2 (for null termination)
call malloc
mov rdi, rax ; Destination pointer
xor rdx, rdx ; Counter
; Convert each character to wide-character format
.loop:
movzx eax, byte [rsi]
mov word [rdi + rdx], ax
inc rdx
inc rdx
inc rsi
cmp al, 0
jne .loop
; Null-terminate the wide-character string
mov word [rdi + rdx], 0
pop rbp
ret
section .text
extern DeleteFileW, malloc
Read the pseudo-code provided and try to explain execution flow.
Use the following code for this section of the lab.
ection .data
commandLine db "C:\path\to\program.exe", 0
startupInfo db 0
processInfo db 0
section .text
global main
extern ExitProcess
extern GetStartupInfoA
extern CreateProcessA
main:
; Get the startup information
lea rdx, [startupInfo]
call GetStartupInfoA
; Start the process
xor rax, rax ; Set rax to 0
xor r8, r8 ; Set r8 to 0
xor r9, r9 ; Set r9 to 0
xor r10, r10 ; Set r10 to 0
xor r11, r11 ; Set r11 to 0
lea rcx, [commandLine] ; Address of the command line string
lea rdi, [processInfo] ; Address of the process information
call CreateProcessA
; Check if the process creation was successful
test al, al ; Check the return value in al
jnz error ; Jump to error if an error occurred
; Process creation successful
xor eax, eax ; Set the exit status to 0 (success)
call ExitProcess
error:
; Handle process creation error
; You can implement error handling code here
Please make sure that this lab is completed before you start the rest of the workshop. If there are any issues, please raise them to the instructor.